Question: If you enable TACACS on a router/switch that already had an enable password configured on the device, and you also create a new local account with privilege level 15, and then in the TACACS config tell the device to use local accounts for console access, will the device still prompt for the enable password even though the account has level 15 access?

The config on the console is blank.

My understanding is all local usernames and passwords are ignored when aaa new-model is enabled. You then create the methods you want your device to use, whether that is a named method or a default method which applies to all lines. The TACACS config below states that for console use the local account, which, as mentioned above, we have a level 15 account for; however the old enable secret was still on the device and had not been removed. What are your thoughts on this please, as we had a disagreement within work, and I would like to understand this for myself as I am studying this area.

My understanding is once you tie the CONSOLE group to line cons 0, you can access via console using the username with privilege 15 and it will not ask you for the enable password. Since this dispute was at work, my advice is to use GNS3 so that you can fully grasp how this works.

You'll still need to use the enable password, even if the user is assigned to privilege level 15. The reason why is that there is a difference in AAA between authentication and authorization. Authentication is the username and password, while authorization is the privilege level.

Take the following example. R1 is configured for local authentication and authorization on the console, without AAA configured. The result is that when the user logs in, not only are they authenticated, but they are authorized to privilege level 15.

Even though the username entry still has the privilege level associated with it, the AAA process is not checking this. To tell AAA to check this you need to enable exec authorization and console authorization, as follows:

I understand what you have said so far apart from ... how the aaa authorization exec CON_AUTHOR local works.

Is the above command a method? The command confused me because of the syntax: it's exec [method name] local. Why does that say use the local database? config t is privilege mode. Sorry if I'm not making myself clear; I'm just trying to understand how the 3 lines work, especially the 2: aaa authorization console and aaa authorization exec {name} local.

The terms can definitely get confusing with how AAA works. The "exec" process means the Command Line Interface (CLI) access to the router. When you log in, the router wants to know a) can you access the exec process, and b) if so, what privilege number or parser view should you get. This is what the exec authorization does.

The case where a user has a login but shouldn't be able to access the exec process would be like a VPN user. You normally wouldn't want your users who VPN through the router to be able to telnet/SSH to the router and log in with the same credentials. In your case you want to log in to the CLI, so you want your user to have exec authorization.

As for the commands, the aaa authorization console is needed because the router does not check for authorization on the console by default. This is a protection mechanism to make sure you don't lock yourself out of the router if the AAA server goes down or you make a misconfiguration. The second one, aaa authorization exec [name] local tells the router that it should check for the user's privilege level in the local database. This is where the username... privilege [num] command comes in. The other alternative for this would be to check the RADIUS or TACACS server and have it assign the privilege level for the user.
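The configuration the two answers above are describing, written out as an added example (it is not a config posted in this thread; the method-list name CON_AUTHEN, the hostname R1 and the placeholder secrets are my assumptions, while CON_AUTHOR and aaa authorization console are the names used in the thread). Part 1 is the state the original question describes: aaa new-model on, a level-15 local user, console authentication against the local database, but no exec authorization, so the user still lands in user EXEC and is prompted for the enable secret. Part 2 adds the two authorization lines, after which the same user lands directly in privileged EXEC.

```cisco
! --- Part 1: authentication only (the state described in the question) ---
aaa new-model
enable secret ENABLE_SECRET_PLACEHOLDER
username admin privilege 15 secret USER_SECRET_PLACEHOLDER
!
! Console logins are authenticated against the local database
! (the list name CON_AUTHEN is an assumption for this example)
aaa authentication login CON_AUTHEN local
!
line console 0
 login authentication CON_AUTHEN
!
! Result: after "admin" authenticates the prompt is R1> (privilege 1).
! The "privilege 15" on the username entry is never consulted because no
! exec authorization runs, so "enable" and the enable secret are still needed.

! --- Part 2: add exec authorization so the privilege level is honoured ---
! The console is exempt from authorization by default; this lifts that exemption.
aaa authorization console
! Exec authorization for the CON_AUTHOR list is answered by the local database,
! which is where "username admin privilege 15" lives.
aaa authorization exec CON_AUTHOR local
!
line console 0
 login authentication CON_AUTHEN
 authorization exec CON_AUTHOR
!
! Result: the same console login now lands at R1# with no enable prompt.
```

After logging in, show privilege reports the level the exec authorization assigned; 15 confirms the local username entry was consulted, 1 means you are still in the Part 1 state. Apply Part 2 from a session you can keep open: once aaa new-model is on, a console list that points at a method which cannot answer (an unreachable TACACS server, or a mistyped list name) is the usual way people lock themselves out, which is exactly why the console skips authorization unless aaa authorization console is configured.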